Re: [Opensc-devel] Cannot delete data object on Feitian ePass2003

[Florent D. <fde...@gm...>]

Hello Ondrej,

Thanks very much for taking the time to explain this to me.

I guessed it was an ACL problems, I even tried to modify the profile file
but in the wrong section.
And as you precised, the ACL are applied when a file is created on token.
I thought they would be applied during the PKCS15 initialization once and
for all. It seems I was wrong!

However, opensc-explorer doesn't give me much information about the ACL.
Or do I need to "decrypt" the security attributes?

florent@ubuntu12-10:~# opensc-explorer
> OpenSC Explorer version 0.13.0rc1
> Using reader with a card: Feitian ePass2003 00 00
> OpenSC [3F00]> cd 5015
> OpenSC [3F00/5015]> info 3400
>
> Elementary File  ID 3400
>
> File path:     3F00/5015/3400
> File size:     64 bytes
> EF structure:  Transparent
> ACL for READ:         N/A
> ACL for UPDATE:       N/A
> ACL for DELETE:       N/A
> ACL for WRITE:        N/A
> ACL for REHABILITATE: N/A
> ACL for INVALIDATE:   N/A
> ACL for LIST FILES:   N/A
> ACL for CRYPTO:       N/A
> Security attributes:     96 96 FF 9F FF FF FF FF
>

So I guess it is possible to modify the ACL, right ?

By the way how do I read the ACL? Does the first one takes precedence over
the others? i.e. the "NEVER" directive is for READ and UPDATE action, no?

> *=NEVER,READ=$PIN,UPDATE=$PIN;
>

But if I can't read it I will never be able to use my object, right?

Would it be possible to use the following ACL, then?

ACL = READ=$PIN,UPDATE=NEVER;
>

What would be the collateral consequences of that? I mean, will other
objects be affected by this change?

Again, thanks,

Cheers


2013/3/28 Ondrej Mikle <ond...@ni...>

> On 03/28/2013 09:19 AM, Florent Deybach wrote:
> > *As you can see, the object is present :*
> > **
> > *
> >
> >     *root@ubuntu12-10:~# pkcs15-tool --dump*
> >
> >     *Using reader with a card: Feitian ePass2003 00 00*
> >
> >     *[...]*
> >     *Data object 'cleTruecrypt'*
> >     *applicationName: cleTruecrypt*
> >     *Path: 3f0050153400*
> >     *Auth ID: 01*
>
> My guess would be that the default ACLs prevent deleting the file. If you
> look
> at /usr/share/opensc/epass2003.profile, there is the following part
> describing
> ACLs for 3f00/5015/34xx files:
>
>         # data objects are stored in transparent EFs.
>         EF privdata {
>     file-id             = 3400;
>         structure       = transparent;
>                         ACL                     =
> *=NEVER,READ=$PIN,UPDATE=$PIN;
>         }
>
> That means the ACL for delete is NEVER, i.e. even PIN authorization won't
> suffice for deletion of this file. It would be consistent with the log you
> posted - the authenticate APDU instruction goes through OK, but erasing in
> the
> last APDU fails with SW 0x69 0x82 "security status not satisfied".
>
> AFAIK you won't be able to delete the file without erasing the card
> (pkcs15-init
> -E) or erasing the parent DF 5015.
>
> Note that the ACLs from the profile are applied at the moment a file is
> created
> on token (like key or data object).
>
> Ondrej
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game
> on Steam. $5K grand prize plus 10 genre and skill prizes.
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>